With modern processors, it is possible~\cite{??,??,??}, but difficult,

134

to compute exact costs or to reasonably approximate them, since the execution

135

of the program itself has an influence on the speed of processing. This is due

136

mainly to caching effects and memory effects in the processor, used, for

137

instance, to perform branch prediction. For this reason, at the current stage

138

of CerCo we decided to focus on 8-bits microprocessors that are still widely

139

used in embedded systems and whose cost model is easily predictable.

140

141

In particular, we have fully formalized an executable formal semantics of

142

the Family of 8 bits Freescale Microprocessors~\cite{oliboni} and a similar

143

one for the MCS-51 microprocessors. The latter is the one described in this

144

paper. The main focus of the formalization has been on capturing the

145

intensional behaviour of the processor. The main problems we have faced,

146

however, are mainly due to the extreme unorthogonality of the memory model

147

and instruction sets of the MCS-51 microprocessors. To cope with this

148

unorthogonality and to have executability, we have exploited the dependent

149

type system of the interactive theorem prover Matita.

150

151

%Compiler verification, as of late, is a `hot topic' in computer science research.

152

%This rapidly growing field is motivated by one simple question: `to what extent can you trust your compiler?'

153

%Existing verification efforts have broadly focussed on \emph{semantic correctness}, that is, creating a compiler that is guaranteed to preserve the semantics of a program during the compilation process.

154

%However, there is another important facet of correctness that has not garnered much attention, that is, correctness with respect to some intensional properties of the program to be compiled.

119

Further, we see our approach as being relevant to the field of compiler verification (and construction) itself.

120

For instance, an optimisation specified only extensionally is only half specified; though the optimisation may preserve the denotational semantics of a program, there is no guarantee that any intensional properties of the program, such as space or time usage, will be improved.

121

Another potential application is toward completeness and correctness of the compilation process in the presence of space constraints.

122

Here, a compiler could potentially reject a source program targetting an embedded system when the size of the compiled code exceeds the available ROM size.

123

Moreover, preservation of a program's semantics may only be required for those programs that do not exhaust the stack or heap.

124

Hence the statement of completeness of the compiler must take in to account a realistic cost model.

125

126

In the methodology proposed in CerCo we assume we are able to compute on the object code exact and realistic costs for sequential blocks of instructions.

127

With modern processors, though possible~\cite{??,??,??}, it is difficult to compute exact costs or to reasonably approximate them.

128

This is because the execution of a program itself has an influence on the speed of processing.

129

For instance, caching and memory effects in the processor are used in advanced features such as branch prediction.

130

For this reason CerCo decided to focus on 8-bit microprocessors.

131

These are still widely used in embedded systems, and have the advantage of an easily predictable cost model due to the relative sparcity of features that they possess.

132

133

In particular, we have fully formalised an executable formal semantics of a family of 8 bit Freescale Microprocessors~\cite{oliboni}, and provided a similar executable formal semantics for the MCS-51 microprocessor.

134

The latter work is what we describe in this paper.

135

The main focus of the formalisation has been on capturing the intensional behaviour of the processor.

136

However, the design of the MCS-51 itself has caused problems in our formalisation.

137

For example, the MCS-51 has a highly unorthogonal instruction set.

138

To cope with this unorthogonality, and to produce an executable specification, we have exploited the dependent type system of Matita, an interactive proof assistant.

The MCS-51 is an eight bit microprocessor introduced by Intel in the late 1970s.

160

144

Commonly called the 8051, in the three decades since its introduction the processor has become a highly popular target for embedded systems engineers.

161

Further, the processor and its immediate successor, the 8052, is still manufactured by a host of semiconductor suppliers---many of them European---including Atmel, Siemens Semiconductor, NXP (formerly Phillips Semiconductor), Texas Instruments, and Maxim (formerly Dallas Semiconductor).

145

Further, the processor, its immediate successor the 8052, and many derivatives are still manufactured \emph{en masse} by a host of semiconductor suppliers.

162

146

163

147

The 8051 is a well documented processor, and has the additional support of numerous open source and commercial tools, such as compilers for high-level languages and emulators.

164

148

For instance, the open source Small Device C Compiler (SDCC) recognises a dialect of C, and other compilers targeting the 8051 for BASIC, Forth and Modula-2 are also extant.

165

An open source emulator for the processor, MCU8051 IDE, is also available.

149

An open source emulator for the processor, MCU-8051 IDE, is also available.

150

Both MCU-8051 IDE and SDCC were used profitably in the implementation of our formalisation.